LemonDuck Malware Detection: Exploits CVE-2017-0144 and Other Microsoft Server Message Block (SMB) Vulnerabilities for Cryptocurrency Mining

October 10, 2024 · 4 min read

LemonDuck, a notorious crypto-mining malware, has been observed targeting Windows servers by exploiting known vulnerabilities in Microsoft’s Server Message Block (SMB) protocol, including the EternalBlue flaw tracked as CVE-2017-0144. The malware has evolved into a more advanced threat capable of credential theft, enriched with detection evasion techniques, and spreading through multiple attack vectors.

Detect LemonDuck Malware Attacks Exploiting SMB Vulnerabilities in Windows Servers

Cryptomining attacks have surged in recent years, making it crucial to raise awareness of cryptojacking. A recent campaign by LemonDuck cryptominer operators exemplifies this growing threat: it exploits Microsoft SMB vulnerabilities such as EternalBlue while using sophisticated evasion techniques to maximize its impact.

To stay on top of LemonDuck attacks, cyber defenders can rely on the SOC Prime Platform for collective cyber defense, which aggregates tailored detection rules backed by a complete product suite for advanced threat detection, automated threat hunting, and AI-powered detection engineering. Press the Explore Detections button to drill down to the relevant collection of Sigma rules.


The SOC Prime Team, in collaboration with expert Threat Bounty developers, has developed 13 detection rules designed to identify malicious activities tied to LemonDuck attacks. These rules are fully compatible with more than 30 SIEM, EDR, and Data Lake platforms and are aligned with the MITRE ATT&CK® framework. Each detection rule is enhanced with rich metadata, such as threat intelligence links, attack timelines, triage suggestions, audit recommendations, and other valuable insights to aid in effective threat detection. 

Interested in joining SOC Prime’s crowdsourcing initiative? Skilled cybersecurity professionals looking to enhance their Detection Engineering and Threat Hunting expertise can contribute to the industry by participating in our Threat Bounty Program. This initiative allows detection content creators to not only sharpen their skills but also earn financial rewards, all while playing a crucial role in strengthening global cybersecurity efforts.

LemonDuck Malware Analysis

With the significant rise in crypto malware designed to perform illegal mining (cryptojacking) and the continuous evolution of such malicious strains, global organizations and individual users are looking for ways to enhance their defensive capabilities. NetbyteSEC recently published research into the LemonDuck malware, which has evolved from a simple cryptocurrency mining botnet into a more sophisticated threat targeting Windows servers since its emergence in 2019.

LemonDuck has been detected weaponizing the known EternalBlue vulnerability (CVE-2017-0144) along with other Microsoft SMB flaws to infiltrate networks, disable security measures, and mine cryptocurrency. The malware applies multiple infection vectors, including phishing emails, is capable of brute-force password attacks, and employs PowerShell to evade detection and deploy malicious payloads for cryptojacking.

In the initial stage of the observed intrusion, adversaries operating from the IP address 211.22.131.99 brute-forced SMB logons against the target host and succeeded in authenticating as the local Administrator account. Once logged in, they created a hidden administrative share exposing the C: drive, which gave any holder of elevated credentials remote access to the whole volume. This share served both as a persistence and remote-access channel and as a way to stage batch files and PowerShell scripts without drawing attention. Those scripts set up the network exploitation component, downloaded and executed further scripts, created and renamed executables, configured scheduled tasks for persistence, altered firewall rules, started a driver, and forced system reboots to evade detection and hinder anti-malware analysis. The chain ends with a cleanup step that removes traces of the infection before the final payload runs.

The malware disables Windows Defender's real-time monitoring and carries out further defense-evasion steps to stay stealthy and keep its C2 channel open, which lets the operators control the host or exfiltrate data without triggering security tools. LemonDuck also downloads additional malicious scripts and runs Mimikatz to harvest credentials, which can then be used for lateral movement across the network.
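Since the point of this post is detection, here is an added example (not code from the original post, from NetbyteSEC, or from SOC Prime's rule set) that runs simple detections for the stages described above over constructed Windows Security and Sysmon events: an SMB logon brute-force burst followed by a successful Administrator logon, creation of a hidden share on a drive root, a PowerShell command that disables Defender real-time monitoring, and a scheduled task that launches a script host. Field names follow the Windows event schema; the event values, the 203.0.113.7 source address, the share and task names, and the thresholds are all assumptions made for the example.

```python
"""Detection logic for the LemonDuck stages described above, run over
constructed Windows Security / Sysmon events (added example, not real telemetry)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ATTACKER_IP = "203.0.113.7"   # documentation address used as the assumed source
SEC, SYSMON = "Security", "Microsoft-Windows-Sysmon/Operational"


def _t(sec):
    """Timestamp helper: all constructed events fall within one minute."""
    return f"2024-10-01T10:00:{sec:02d}"


# Constructed sample events; field names follow the Windows event schema.
EVENTS = [
    # 4625: burst of failed network (LogonType 3, i.e. SMB) logons as Administrator
    *[{"Channel": SEC, "EventID": 4625, "Time": _t(i), "IpAddress": ATTACKER_IP,
       "TargetUserName": "Administrator", "LogonType": 3} for i in range(12)],
    # 4624: the same source then authenticates successfully
    {"Channel": SEC, "EventID": 4624, "Time": _t(15), "IpAddress": ATTACKER_IP,
     "TargetUserName": "Administrator", "LogonType": 3},
    # 5142: a network share is added; the trailing '$' makes it hidden
    {"Channel": SEC, "EventID": 5142, "Time": _t(20), "ShareName": "\\\\*\\c$",
     "ShareLocalPath": "C:\\", "SubjectUserName": "Administrator"},
    # Sysmon 1: Defender real-time monitoring switched off from PowerShell
    {"Channel": SYSMON, "EventID": 1, "Time": _t(25),
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -ep bypass -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    # 4698: scheduled task whose action launches a script host (persistence)
    {"Channel": SEC, "EventID": 4698, "Time": _t(30), "TaskName": "\\Updater",
     "TaskContent": "<Exec><Command>powershell.exe</Command>"
                    "<Arguments>-w hidden -File C:\\Users\\Public\\update.ps1</Arguments></Exec>"},
    # Benign noise: a single interactive logon failure from an internal host
    {"Channel": SEC, "EventID": 4625, "Time": _t(40), "IpAddress": "192.0.2.10",
     "TargetUserName": "jdoe", "LogonType": 2},
]


def smb_bruteforce(events, threshold=10, window=timedelta(seconds=60)):
    """Sources with >= threshold failed network logons inside `window`, annotated
    with whether the same source logged on successfully after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["Channel"] != SEC or e.get("LogonType") != 3:
            continue
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(datetime.fromisoformat(e["Time"]))
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(datetime.fromisoformat(e["Time"]))
    alerts = []
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over sorted failures
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= threshold:
                success_after = any(s > in_window[-1] for s in successes.get(ip, []))
                alerts.append({"ip": ip, "failures": len(in_window),
                               "success_after": success_after})
                break                               # one alert per source is enough
    return alerts


HIDDEN_SHARE = re.compile(r"\\\\\*\\[^\\]+\$$")    # matches \\*\name$
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")        # matches C:\ or C:


def hidden_share_created(events):
    """5142 events that publish a whole drive under a hidden share name."""
    return [e for e in events
            if e["Channel"] == SEC and e["EventID"] == 5142
            and HIDDEN_SHARE.match(e.get("ShareName", ""))
            and DRIVE_ROOT.match(e.get("ShareLocalPath", ""))]


DEFENDER_TAMPER = re.compile(
    r"(Set|Add)-MpPreference\b.*-(DisableRealtimeMonitoring|Exclusion(Path|Process|Extension))",
    re.IGNORECASE)


def defender_tamper(events):
    """Sysmon process creations whose command line weakens Defender."""
    return [e for e in events
            if e["Channel"] == SYSMON and e["EventID"] == 1
            and DEFENDER_TAMPER.search(e.get("CommandLine", ""))]


SCRIPT_HOST = re.compile(r"(powershell|pwsh|cmd)\.exe", re.IGNORECASE)


def task_persistence(events):
    """4698 scheduled-task creations whose action runs a script host."""
    return [e for e in events
            if e["Channel"] == SEC and e["EventID"] == 4698
            and SCRIPT_HOST.search(e.get("TaskContent", ""))]


def run_detections(events):
    """Run every detector and return its hits keyed by detector name."""
    return {"smb_bruteforce": smb_bruteforce(events),
            "hidden_share": hidden_share_created(events),
            "defender_tamper": defender_tamper(events),
            "task_persistence": task_persistence(events)}


if __name__ == "__main__":
    for name, hits in run_detections(EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
```

The brute-force detector only counts LogonType 3 (network) failures, so it will not fire on a single mistyped interactive password, and it records whether the burst was followed by a success from the same address, which is the case that deserves immediate triage. The share rule deliberately fires on any share creation that exposes a drive root under a hidden name rather than on a fixed share name, since the name is the one thing an operator can change freely.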

With the stealthy LemonDuck crypto-mining malware continuing to evolve and layering on multiple detection evasion techniques, organizations are encouraged to keep all operating systems and software up to date so that known SMB vulnerabilities like EternalBlue (addressed by the MS17-010 updates) cannot be exploited, to disable SMBv1 and restrict inbound SMB (TCP 445) from untrusted networks, and to enforce strong passwords and lockout policies on local Administrator accounts given the brute-force entry vector described above. By relying on the SOC Prime Platform for collective cyber defense, security engineers can build a future-proof cybersecurity posture and stay ahead of emerging threats.
